### Перед использованием необходимо создать secret, содержащий сертификат CA кластера
# kubectl -n monitoring create secret tls kube-ca-secret \
# --cert=/etc/kubernetes/ssl/ca.crt \
# --key=/etc/kubernetes/ssl/ca.key
#
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: monitoring-issuer
  namespace: monitoring
spec:
  ca:
    secretName: kube-ca-secret
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: mon-certificate
  namespace: monitoring
spec:
  secretName: mon-tls
  duration: 9125h0m0s # 1y
  renewBefore: 360h0m0s # 15d
  subject:
    organizations:
    - arturs k8s
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
    rotationPolicy: Always
  usages:
    - server auth
    - client auth
  dnsNames:
  - kryukov.local
  - mon.kryukov.local
  issuerRef:
    name: monitoring-issuer
    # We can reference ClusterIssuers by changing the kind here.
    # The default value is Issuer (i.e. a locally namespaced Issuer)
    kind: Issuer
    # This is optional since cert-manager will default to this value however
    # if you are using an external issuer, change this to that issuer group.
    group: cert-manager.io
